Maybe we can just block link type=* ?

----- Forwarded message from Andrew Rodland <[EMAIL PROTECTED]> -----
From: Andrew Rodland <[EMAIL PROTECTED]>
Organization: Dis Organization
To: [EMAIL PROTECTED]
Subject: Anonymity filter breakage
I've come up with another way to bypass the anonymity filter, in the spirit of
the "IE allows sites to compromise your anonymity" attack, except this one is
far from IE-specific.
In fact, it works (so far) on IE, Konqueror, and K-Meleon (assuming Mozilla as
well, it's all gecko).
All it takes is to generate a piece of CSS that says:
body { background-image: url(http://www.somewhere.com/something.png) }
and upload it _as text/plain_, and then in your page say
<link rel="stylesheet" href="my stylesheet.txt" type="text/css">.
Every browser I can find will infer from the tag that the file should be
interpreted as CSS, even though the server reports that it's text/plain.
I don't see any way for the filter to handle this, except to get paranoid and
even warn on text/plain files. Really it's a browser issue, but the "correct"
browser fix would probably cause problems on a bunch of broken http servers
(not that that's the browser's fault, but it would make many unwilling).
Maybe it is time for a freenet browser, based on fcplib and a custom gecko,
that doesn't even know what HTTP is.
(and/or a web browser that's incredibly tight about privacy and anonymity)
Anyway, Cheers
--hobbs
----- End forwarded message -----
--
Matthew Toseland
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Freenet/Coldstore open source hacker.
Employed full time by Freenet Project Inc. from 11/9/02 to 11/1/03
http://freenetproject.org/
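
One way a filter could handle the case described in the forwarded message is to honour the markup's own claim about a linked resource as well as the server's Content-Type. The Python below is an added example, not Freenet's filter code; the function names, and the assumption that the filter sees the linking page and the linked resource together, are hypothetical.

```python
import re
from html.parser import HTMLParser

# url(...) targets in CSS, with optional quotes around the target.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)

# Constructed sample input mirroring the message above.
PAGE = '<link rel="stylesheet" href="my stylesheet.txt" type="text/css">'
SHEET = "body { background-image: url(http://www.somewhere.com/something.png) }"


class LinkCollector(HTMLParser):
    """Collect hrefs that the page itself asks the browser to parse as CSS."""

    def __init__(self):
        super().__init__()
        self.css_hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        rel = a.get("rel", "").lower().split()
        # Either attribute can make a browser treat the target as a
        # stylesheet, whatever Content-Type the server reports later.
        if "stylesheet" in rel or "css" in a.get("type", "").lower():
            self.css_hrefs.add(a.get("href", ""))


def css_asserted_links(html):
    """Return the set of hrefs declared as stylesheets in the markup."""
    p = LinkCollector()
    p.feed(html)
    return p.css_hrefs


def external_css_urls(body):
    """Return url() targets that point at an outside http(s) host."""
    return [u for u in CSS_URL.findall(body)
            if re.match(r"(?i)^(https?:)?//", u)]


def filter_resource(page_html, href, content_type, body):
    """Scan as CSS if either the server or the linking markup says it is CSS."""
    declared_css = content_type.split(";")[0].strip().lower() == "text/css"
    if not declared_css and href not in css_asserted_links(page_html):
        return "pass"  # nothing claims this is CSS; other filters apply
    return "block" if external_css_urls(body) else "pass"
```
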
